According to an article published by PcMag, LastPass was breached in 2022 by a 3-year-old vulnerability! You would expect that a security vendor is remediating all discovered vulnerabilities swiftly. But that on its own raises a few questions. Questions like ‘Do you really scan all your assets?’ and ‘Do you really track remediation efforts?’. These are questions that every CISO/Security Manager should be asking its vulnerability scanning team. But is it that simple?

Let’s start with the basics. How do you know you are really scanning the entire IT/OT/IOT environment of the company? As most of the devices are relying on the TCP/IP protocol to communicate, somewhere in the company somebody is responsible for maintaining which IP range is used where in the network. This is the starting point for determining if you really are scanning every active IP range for known vulnerabilities. You can track this by implementing this KPI:

KPI formula to calculate the percentage of scanned IP ranges

If you track this KPI on a weekly interval, you know how accurate the vulnerability scanning is. But how do you know the ‘Active IP ranges’ is accurate? This requires a somewhat data-scientific approach.

Based on the available and centrally collected logging from devices like DHCP servers, Firewalls, IDS/IPS, and other types of network equipment, it is possible to determine with a certain accuracy which IP addresses are used on the network. This list should be compared with the active IP ranges. If unknown IP ranges are discovered, then not only the IP Administration should be updated, but it is equally important to investigate why this has happened.

Even if the KPI ‘Scanned IP ranges’ is 100%, it does not mean all assets are scanned. To bridge this gap, I will introduce three KPIs. ‘Asset scanned’, ‘Asset visibility’, and ‘Asset registration’. The KPI ‘Asset scanned’ is checking that each discovered asset is also checked for known vulnerabilities. The formula for this KPI is:

KPI formula to calculate the percentage of scanned assets

The KPI ‘Asset visibility’ is checking if all registered assets (the CMDB) are also scanned for known vulnerabilities and/or are visible during the discovery scan. The formula for this KPI is:

KPI formula to calculate the percentage of registered discovered assets

The KPI ‘Asset registration’ is ensuring that each discovered asset, is also registered in the CMDB. The formula for this KPI is:

KPI formula to calculate the percentage of discovered registered assets

But all these KPIs together don’t provide the insights you need to determine if remediating known discovered vulnerabilities is effective. And here effective means that a discovered known vulnerability is remediated on time. Somewhere in the IT Security policy, there should be a section describing how often a vulnerability and discovery scan should be conducted. For non-internet-facing assets, weekly vulnerability and discovery scanning should be enough in most cases. However, for internet-facing, I do suggest conducting vulnerability and discovery scanning on an hourly basis. Your adversaries are also scanning your internet-facing assets. And at the moment they discover a hole in your defense, they may strike.

Once you have conducted more than one complete vulnerability scan on your environment, you can check if previously discovered known vulnerabilities are remediated on time.

On-time remediation can be determined by checking the number of days between the first time the known vulnerability was detected on an asset and the last time the known vulnerability was detected. If the IT Security policy describes that critical-rated vulnerabilities need to be remediated within 24 hours, then a critical-rated vulnerability is not remediated on time if the number of days is equal to or higher than 1. Based on this logic, the KPI ‘On-time remediation’ can be calculated using the following formula:

KPI formula to calculate the percentage of on-time remediated vulnerabilities

If you put all these KPIs in a report and you track them on a weekly base, you can determine if are you really remediating all the discovered vulnerabilities effectively. Especially when you set the goal for each KPI at 99% or higher.

KPI Report

Important: even if you are really remediating all the discovered vulnerabilities on time, you might still be at risk, because this is only addressing the known vulnerabilities. If you are using customized software, you also need to conduct penetration tests on these (web) applications to determine if these (web) applications are safe.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.